Biometric authentication system for enhancing network security

ABSTRACT

A network-based biometric authentication system includes a client computer ( 10 ), a third party server ( 24 ), and a biometric authentication server ( 26 ). A user requests access to a web site hosted by the third party server via the client computer, wherein the third party server communicates a deployable object to the client computer. The client computer executes the deployable object, wherein the object enables the client computer to receive a user name, password, and biometric data from the user and to communicate the user name, password, and biometric data to the biometric authentication server in a secure fashion. The biometric authentication server authenticates the user name, password, and biometric data, and communicates the user name and password to the third party server, which attempts to verify the user name and password in a conventional manner and grants access to the user if the user name and password are verified.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to the field of computer security. More particularly, the present invention involves a system for transparently enhancing secure access to a network node by validating a user's identity using biometric data, wherein biometric authentication occurs on a biometric authentication server and the network node to which access is sought initiates the biometric authentication process.

2. Description of Prior Art

Providing secure Internet transactions has become increasingly important as use of the Internet for business, financial, and other sensitive transactions has become ubiquitous. Traditionally, network servers hosted by businesses have been programmed to require a user to submit identification information, such as a user name and a password, before allowing the user to access files managed by the server.

Use of such identification information renders the server susceptible to access by unauthorized users who obtain a valid user's identification information by, for example, intercepting network communications. Requiring a user's biometric data, such as a fingerprint, before granting the user access is known in the art and benefits from the added measure of security inherent in biometric authentication systems. For example, fingerprint data and other biometric data cannot be “stolen” as easily as a user name and password, and, even if stolen, cannot be used to circumvent security if the system requires the user to submit fresh biometric data via a biometric sensor.

While use of biometric data increases the security of computer networks, it also requires special hardware and software to implement. For example, fingerprint-based biometric authentication requires use of a fingerprint scanner, driver software for the scanner, and software for authenticating fingerprint data received via the fingerprint scanner. Authenticating the fingerprint data may include, for example, comparing the data with fingerprint data stored in a database to determine whether the received data matches the stored data. Thus, implementing a biometric authentication system can require significant hardware and software resources that, in some circumstances, render it impractical or even impossible to implement.

Accordingly, there is a need for an improved network security system that does not suffer from the problems and limitations of the prior art.

SUMMARY OF THE INVENTION

The present invention provides an improved biometric authentication system for network transactions. Particularly, the present invention provides a system for transparently enhancing secure access to a network node by validating a user's identity using biometric data, wherein biometric authentication occurs on a biometric authentication server and the network node to which access is sought initiates the biometric authentication process.

A first embodiment of the invention is a computer program for enabling a biometric authentication system, wherein at least a portion of the program is stored on a computer-usable medium. The computer program enables a first computer to receive biometric data and identification information from a user and to communicate the biometric data and the identification information to a second computer. The second computer creates a first transaction identifier, and verifies the identification information by confirming that the biometric data corresponds to at least a portion of the identification information.

The program further enables a third computer to communicate to the second computer a request for at least a portion of the identification information, wherein the request includes a second transaction identifier. The second computer communicates at least a portion of the identification information to the third computer if the first transaction identifier corresponds to the second transaction identifier and if the biometric data corresponds to at least a portion of the identification information.

According to a second embodiment of the invention, the program enables a first computer to communicate a deployable object to a second computer via a network communications medium, wherein the deployable object enables the second computer to generate a first token, to receive identification information and biometric data from a user, to bundle the biometric data with the token and secure the bundle, and to communicate the first token to the first computer and the bundle to a third computer.

The program enables the third computer to create a second token and to verify the first token received from the second computer by determining whether the first token corresponds to the second token, and enables the third computer to verify the biometric data received from the second computer by comparing the received data to biometric data stored in a database.

The third computer communicates the identification information received from the second computer to the first computer if the second token corresponds to the first token, if the received biometric data matches biometric data stored in the database, and if the biometric data corresponds to at least a portion of the identification information.

According to a third embodiment of the invention, the program enables a network server computer to communicate an ActiveX control to a network client computer via a network communications medium, wherein the ActiveX control enables the client computer to generate a first token, to receive a user name and password from the user, to control a biometric sensor and receive biometric data from the user via the sensor, to combine and encrypt the biometric data and password, to combine the user name with the encrypted biometric data and password to form a bundle and encrypt the bundle, and to communicate the first token to the network server computer and the bundle to the biometric authentication server.

The biometric authentication server creates a second token and determines whether the first token corresponds to the second token, determines whether the biometric data received from the client matches biometric data stored in a database, and determines whether the biometric data received from the client corresponds to the user name or the password.

The biometric authentication server communicates the user name and password received from the client computer to the network server computer if the first token corresponds to the second token, if the biometric data received from the client matches biometric data stored in a database, and if the biometric data received from the client corresponds to the user name or the password.

These and other important aspects of the present invention are described more fully in the detailed description below.

BRIEF DESCRIPTION OF THE DRAWINGS

An embodiment of the present invention is described in detail below with reference to the attached drawing figures, wherein:

FIG. 1 is a schematic diagram of an exemplary system for implementing a computer program in accordance with an embodiment of the present invention;

FIG. 2 is a flow diagram of certain steps performed by the computer program for providing transparent biometric authentication for network-based transactions;

FIG. 3 is a flow diagram of certain steps performed by the computer program for bundling and securing identification and biometric information for communication in a network-based transaction; and

FIG. 4 is a schematic diagram of an exemplary communication scheme of the system of FIG. 1 involving a biometric authentication server, a third party server, and a client computer, wherein the biometric authentication server and the third party server are on a first side of a firewall and communicate via the Internet with the client, which is on a second side of the firewall.

DETAILED DESCRIPTION

The present invention relates to a system and method of enhancing network security by providing transparent biometric authentication for network transactions. The method of the present invention is especially well-suited for implementation on a computer or computer network, such as the computer 10 illustrated in FIG. 1 that includes a keyboard 12, a processor console 14, a display 16, and one or more peripheral devices 18, such as a scanner or printer. The computer 10 may be a part of a computer network, such as the computer network 20 that includes one or more client computers 10, 22 and one or more server computers 24, 26 interconnected via a communications system 28. The communications system 28 may include, for example, a local area network, wide area network, the Internet, or a combination thereof. As illustrated in FIG. 4, the servers 24 and 26 may be connected to a local area network or other local communication means residing on a first side of a firewall and communicate with the client computer 10 residing on a second side of the firewall via the Internet 28.

The present invention may also be implemented, in whole or in part, on a wireless communications system including, for example, a network-based wireless transmitter 30 and one or more wireless receiving devices, such as a hand-held computing device 32 with wireless communication capabilities, wherein the device 32 is a client of the network 20 and includes a peripheral element 34. The present invention will thus be generally described herein as a computer program. It will be appreciated, however, that the principles of the present invention are useful independently of a particular implementation or embodiment, and that one or more of the steps described herein may be implemented without the assistance of a computing device.

The present invention can be implemented in hardware, software, firmware, or a combination thereof. In a preferred embodiment, however, the invention is implemented with a computer program. The computer program and equipment described herein are merely examples of a program and equipment that may be used to implement the present invention and may be replaced with other software and computer equipment without departing from the scope of the present invention.

The computer program of the present invention is stored in or on a computer-usable medium, such as a computer-readable medium, residing on or accessible by a host computer or a plurality of host computers for instructing the host computer or computers to implement the method of the present invention as described herein. The host computer may be a server computer, such as server computer 24, or a network client computer, such as computer 10 or device 32. The computer program preferably comprises an ordered listing of executable instructions for implementing logical functions in the host computer and other computing devices coupled with the host computer. The computer program can be embodied in any computer-usable medium for use by or in connection with an instruction execution system, apparatus, or device, such as a computer-based system, processor-containing system, or other system that can fetch the instructions from the instruction execution system, apparatus, or device, and execute the instructions.

The ordered listing of executable instructions comprising the computer program of the present invention will hereinafter be referred to simply as “the program” or “the computer program.” It will be understood by those skilled in the art that the program may comprise a single list of executable instructions or two or more separate lists, and may be stored on a single computer-readable medium or multiple distinct media, including multiple geographically separate media. The program will also be described as comprising various “code segments,” which may include one or more lists, or portions of lists, of executable instructions. Code segments may include overlapping lists of executable instructions, that is, a first code segment may include instruction lists A and B, and a second code segment may include instruction lists B and C.

In the context of this document, a “computer-usable medium” can be any means that can contain, store, communicate, propagate or transport the program for use by or in connection with the instruction execution system, apparatus, or device. The computer-usable medium can be, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semi-conductor system, apparatus, device, or propagation medium. More specific, although not inclusive, examples of the computer-usable medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a random access memory (RAM), a read-only memory (ROM), an erasable, programmable, read-only memory (EPROM or Flash memory), an optical fiber, and a portable compact disk read-only memory (CDROM). The computer-usable medium could even be paper or another suitable medium upon which the program is printed, as the program can be electronically captured, via for instance, optical scanning of the paper or other medium, then compiled, interpreted, or otherwise processed in a suitable manner, if necessary, and then stored in a computer memory. In the context of this document, an “object” is a self-contained software entity that consists of both data and procedures to manipulate the data.

In a first embodiment, the present invention enables enhanced, transparent network security between a network client computer 10 and a third party network server 24 by employing a biometric authentication server 26. The client computer 10 may be substantially any conventional personal computer or computer workstation with access to the network 20, such as, for example, where the network 20 is the Internet. Thus, the client computer 10 may be in a user's home, office, vehicle or another location. The client computer 10 includes a biometric sensor 18 operable to capture the user's biometric data, such as fingerprint data. In the first embodiment the biometric sensor 18 is a fingerprint scanner for capturing fingerprint data, but it will be appreciated that substantially any biometric data may be used without departing from the scope of the claimed invention including, but not limited to, voice print data, retinal scan data, iris scan data, facial characteristics, and behavioral characteristics, such as signature data, captured and analyzed using conventional hardware and processes known in the art. Furthermore, the biometric data used by the claimed invention may be any combination of one or more types of such biometric data.

The third party network server 24 is a device or system that manages network resources, such as network traffic or network storage devices dedicated to storing data files, and may be a conventional network server computer or server station. More specifically, the third party network server 24 may be a World Wide Web server hosting a web page or a web site, wherein the server 24 requires user identification before granting access to the web page or web site. The third party network server 24 may be implemented independently of the client computer 10 and by a third party not associated with the client computer 10.

The biometric authentication server 26 may be similar to the third party network server 24, but is operable to perform a particular function. The biometric authentication server 26 is operable to store and manage user identification information and user biometric information, such as where the identification information and the biometric information are stored in a database that is accessible by, or resides on, the server 26. As explained above, the communications system 28 provides a medium through which the client computer 10, the third party server 24, and the biometric authentication server 26 communicate via any of various network communications protocols.

Referring also to FIG. 2, a flow diagram of exemplary steps involved in the first embodiment of the present invention is illustrated. The steps illustrated in FIG. 2 need not be executed in precisely the order shown, but a second step illustrated subsequent to a first step may be executed concurrently with, or in some cases prior to, the first step. The steps are divided into three columns, wherein a left column generally includes steps performed by the biometric authentication server 26, the middle column generally includes steps performed by the client computer 10, and the right column generally includes steps performed by the third party server 24.

First, a user requests access to the third-party server 24 via the client computer 10, as depicted in block 36. This step may occur, for example, when the user desires to engage in online banking and requests or selects a login page from the bank's web site via a web browser running on the client computer 10, wherein the third party server 24 requires a valid user name and password to grant access to the web site. It will be appreciated that this scenario is only exemplary in nature and that the third-party server 24 need not be associated with a bank, but may be associated with any business, organization, group, association, or other entity. Furthermore, the user name and password discussed herein are exemplary types of user identification information required by the third party server 24 before granting access to the user. Alternatively, the third party server 24 may require only the user name, only the password, or an entirely different form of identification, such as a digital certificate in the form of a data file stored on the client computer 10.

Unless otherwise noted, communications between the client computer 10, the third party server 24, and the biometric authentication server 26 are encrypted or otherwise secured to prevent unintended recipients from opening, reading, or otherwise using communicated data and information.

When the user requests the login page from the third-party server 24 via the client computer 10, the third party server 24 communicates a deployable object to the client computer 10, as depicted in block 38. The deployable object is a software object that is generated by, resides on, or is retrieved by the third-party server 24, and is executed by the client computer 10 upon receipt thereof from the third party server 24 without the need for the client computer user to perform any installation or initiation steps. In other words, the client computer 10 receives and executes the deployable object transparently to the user. The object is “deployable” in that it can be communicated from a first computer to a second computer for execution on the second computer, wherein the object has access to the system resources of the second computer necessary to allow the object to perform all functions contained therein.

The client computer 10 executes the deployable object, which enables the client computer 10 to request a token seed from the biometric authentication server 26, as illustrated in block 40. The token seed serves as a basis to generate multiple identical tokens that are used as encryption and decryption keys as well as to associate a plurality of events or items with a single transaction. Thus, the tokens serve as transaction identifiers to enable the biometric authentication server 26 to associate a communication from the third party server 24 with a communication from the client computer 10. This is particularly important where the biometric authentication server 26 is communicating with multiple external computers regarding multiple transactions. The biometric authentication server generates a token seed and communicates the token seed to the client computer 10, as depicted in block 42, and creates a first token from the token seed, as depicted in block 44. The first token is retained by the biometric authentication server 26 to decrypt communications received from the client computer 10 and to associate communications from the third party server 24 and the client computer 10 with a single transaction.

A preferred deployable object is an ActiveX object, such as an ActiveX control, wherein the ActiveX control is communicated from the third party server 24 to the client computer 10 via a web browser running on the client computer 10, wherein the ActiveX control can access system resources of the network client computer 10 but is extinguished from the client computer 10 when the web browser is terminated or is no longer in communication with the third party server 24.

When the client computer 10 executes the deployable object, the object enables the client 10 to create a second token based on the token seed, as depicted in block 46. The second token is identical to the first token or is otherwise associated with the first token such that when the biometric authentication server 26 receives the second token it can associate the first token with the second token.

The deployable object enables the client computer 10 to receive a username, password, and biometric data from the user, as depicted in block 48. In this step, the client computer 10 presents a user login page that prompts the user to submit a username and password in respective username and password fields. The user login page would also prompt the user to submit biometric data, such as fingerprint data via a fingerprint scanner. To enable the client computer 10 to receive biometric data from the user, the deployable object controls the biometric sensor 18 and provides a bridge between the biometric sensor 18 and the user interface of the client computer 10. The deployable object may interact, for example, with a dynamically linked library associated with the biometric sensor 18, wherein the library provides executable functions and data necessary for the deployable object to communicate with and control the biometric sensor 18.

Enabling the deployable object to communicate with and control the biometric sensor 18 reduces the risk of a person circumventing the biometric scanner 18 because the deployable object can ensure that biometric data is received from the biometric sensor 18 at the time the user submits the user name and password.

The deployable object enables the client computer 10 to bundle the user name, password, and biometric data together and secure the bundle, as depicted in block 50. A flowchart of steps illustrating an exemplary method of bundling the user name, password, and biometric data is illustrated in FIG. 3. First, the client computer 10 encrypts the biometric data and the password using the second token, which the client computer 10 created from the token seed, as depicted in block 52. The client computer 10 may combine the biometric data and the password prior to encryption, wherein such combination may include, for example, merging the fingerprint data and the password into a single file, or creating a file for each of the fingerprint data and the password and placing the two files into a single folder. The client computer 10 then bundles the username with the encrypted biometric data and password, as depicted in block 54. The client computer 10 encrypts the bundle using the second token as an encryption key, as depicted in block 58, and encrypts the bundle a second time using the second token as an encryption key, as depicted in block 60.

Thus, the exemplary method of bundling and securing the user name, password, and biometric data comprises a multi-tiered encryption scheme involving three levels of encryption. It should also be noted that more sensitive data may be encrypted in a deeper layer than less sensitive data. The biometric data and the password may be considered more sensitive than the user name, for example, because the biometric data is unique to the user and cannot change, and the password may reflect passwords employed by the user in other systems or situations. Because every layer is keyed with the same per-transaction token, the layering separates the fields by sensitivity but adds no confidentiality beyond a single encryption under that token; what binds the bundle to the transaction is the token itself.

Referring again to FIG. 2, once the client computer 10 has bundled the user name, password, and biometric data, the deployable object enables the client computer 10 to communicate the bundle to the biometric authentication server 26 and to communicate the second token to the third party server 24, as depicted in block 60. Blocks 40, 46, 48, 50, and 60, illustrated inside a broken-line box, represent steps performed by the client computer 10 enabled by the deployable object.

The third party server 24 communicates a copy of the second token to the biometric authentication server 26 and requests a user name and password corresponding to the second token, as depicted in block 62. Thus, the third party server 24 does not receive the user name and password directly from the client computer 10, but rather from the biometric authentication server 26, as explained below.

The biometric authentication server 26 unpacks the bundle received from the client 10 using the first token, as depicted in block 64. Unpacking the bundle is accomplished essentially by reversing the steps illustrated in FIG. 3. For example, the bundle is decrypted a first time and a second time to reveal the user name and the encrypted biometric data and password. The user name is separated from the encrypted biometric data and password, and the encrypted biometric data and password are decrypted and separated. In contrast to the bundling process illustrated in FIG. 3, in which the client computer 10 encrypted using the second token, the biometric authentication server 26 performs the decryption using the first token that it created and retained as a decryption key. Therefore, if the first token does not correspond to the second token, the decryption will fail.

The biometric authentication server 26 verifies the second token received from the third party server 24 by comparing it with the first token, which was created and retained by the biometric authentication server 26. Because both the first token and the second token were created from the same token seed, both tokens will be identical or otherwise have a known relationship that can be used to verify that both were created from the same token seed and thus pertain to the same transaction.

The biometric authentication server 26 authenticates the user name, password, and biometric data, as depicted in block 66. The received biometric data is authenticated by comparing it with biometric data stored in a database, wherein the received biometric data is authenticated if it matches biometric data stored in the database. The user name and password are authenticated if they match a user name and password that are stored in the database and associated with the biometric data stored in the database that matches the received biometric data. Alternatively, only a portion of the user identification information may be authenticated, such as only the user name, only the password, or a portion of either or both. If the user name, password, and biometric data are thus authenticated, the biometric authentication server 26 communicates the user name and the password to the third party server 24, as depicted in block 70. The third party server 24 receives and verifies the user name and password in a conventional manner, as depicted in block 72. This may involve, for example, comparing the user name and password to user names and passwords stored in a database and presenting the client computer 10 user with a home or welcome page. Alternatively, the biometric authentication server 26 may communicate only a portion of the identification information, such as only the user name or only the password, to the third party server 24.
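The following Python simulation is added here as an illustration and is not part of the original specification. It carries the exchange of FIG. 2 (blocks 40 through 72) and the bundling of FIG. 3 (blocks 52 through 60) through end to end, with the client computer 10, the third party server 24 and the biometric authentication server 26 modelled in one process, and it exercises the failure cases the text mentions only in passing: a second token that corresponds to no retained first token, biometric data that does not match the stored data, and credentials the third party server rejects in its conventional check. The specification leaves the cipher, the key derivation and the matching method open, so the following are assumptions of the example rather than statements of the page: both tokens are derived from the seed with SHA-256; encryption is HMAC-SHA256 used in counter mode with an authentication tag, because the statement that decryption "will fail" under a mismatched token holds only for authenticated encryption, not for a bare cipher; the client sends a clear transaction identifier (a hash of its token) alongside the bundle so the server can locate the retained first token, a detail the text does not describe; and biometric matching is exact byte comparison standing in for a real fuzzy match. The user names, passwords and fingerprint "template" are constructed sample values.

```python
import hashlib
import hmac
import json
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def derive_token(seed: bytes) -> bytes:
    """Blocks 44 and 46: both parties derive identical tokens from the seed (assumed KDF: SHA-256)."""
    return hashlib.sha256(b"token|" + seed).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode, a stand-in for the cipher the specification leaves open.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC so that a wrong token is detected instead of yielding garbage."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("decryption failed: token mismatch or tampered bundle")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def bundle(token: bytes, username: str, password: str, biometric: bytes) -> bytes:
    """FIG. 3: encrypt (biometric, password); add the user name; encrypt the bundle twice."""
    inner = encrypt(token, json.dumps({"password": password, "biometric": biometric.hex()}).encode())
    outer = json.dumps({"username": username, "inner": inner.hex()}).encode()
    return encrypt(token, encrypt(token, outer))


def unbundle(token: bytes, blob: bytes) -> tuple:
    """Block 64: reverse FIG. 3. Raises ValueError when the token does not correspond."""
    outer = json.loads(decrypt(token, decrypt(token, blob)))
    inner = json.loads(decrypt(token, bytes.fromhex(outer["inner"])))
    return outer["username"], inner["password"], bytes.fromhex(inner["biometric"])


def txid(token: bytes) -> bytes:
    # Assumption: the client sends a hash of its token in the clear so server 26 can find the transaction.
    return hashlib.sha256(b"txid|" + token).digest()


class BiometricAuthServer:
    """Server 26. `enrolled` maps user name -> (password, biometric template)."""

    def __init__(self, enrolled: dict):
        self.enrolled = enrolled
        self.pending = {}  # txid -> [retained first token, bundle or None]

    def issue_seed(self) -> bytes:  # blocks 42 and 44
        seed = secrets.token_bytes(16)
        first_token = derive_token(seed)
        self.pending[txid(first_token)] = [first_token, None]
        return seed

    def receive_bundle(self, tx: bytes, blob: bytes) -> None:  # block 60, client to server 26
        self.pending[tx][1] = blob

    def release_credentials(self, second_token: bytes) -> tuple:  # blocks 62 through 70
        entry = self.pending.pop(txid(second_token), None)  # one-shot transaction identifier
        if entry is None or entry[1] is None or not hmac.compare_digest(entry[0], second_token):
            raise PermissionError("second token corresponds to no pending first token")
        first_token, blob = entry
        username, password, biometric = unbundle(first_token, blob)
        stored = self.enrolled.get(username)
        # Assumption: exact byte equality stands in for real (fuzzy) template matching.
        if stored is None or stored[0] != password or not hmac.compare_digest(stored[1], biometric):
            raise PermissionError("biometric data or identification information did not authenticate")
        return username, password


class ThirdPartyServer:
    """Server 24: conventional user name and password check after server 26 releases them."""

    def __init__(self, bas: BiometricAuthServer, users: dict):
        self.bas, self.users = bas, users

    def login(self, second_token: bytes) -> bool:  # blocks 62 and 72
        username, password = self.bas.release_credentials(second_token)
        return self.users.get(username) == password


def client_login(bas: BiometricAuthServer, tps: ThirdPartyServer,
                 username: str, password: str, biometric: bytes) -> bool:
    """Client 10 under the deployable object: blocks 40, 46, 48, 50 and 60."""
    seed = bas.issue_seed()                                      # blocks 40 and 42
    second_token = derive_token(seed)                            # block 46
    blob = bundle(second_token, username, password, biometric)   # block 50
    bas.receive_bundle(txid(second_token), blob)                 # block 60, bundle to server 26
    return tps.login(second_token)                               # block 60, token to server 24


# Constructed sample enrolment; the "template" is a placeholder byte string, not biometric data.
FINGERPRINT = b"constructed-fingerprint-template-0001"
BAS = BiometricAuthServer({"alice": ("correct horse", FINGERPRINT)})
TPS = ThirdPartyServer(BAS, {"alice": "correct horse"})

if __name__ == "__main__":
    print("valid login:", client_login(BAS, TPS, "alice", "correct horse", FINGERPRINT))
    try:
        client_login(BAS, TPS, "alice", "correct horse", b"someone-else")
    except PermissionError as exc:
        print("wrong finger:", exc)
```

Two design points carry over from the text. The third party server never sees the bundle: it learns the user name and password only from `release_credentials`, and only after the biometric check, which is the transparency the specification claims. The retained first token is consumed on first use, so a captured second token cannot be replayed against the biometric authentication server for a second release.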

In a second embodiment of the invention, the wireless device 32 communicates with the third party server 24 and the biometric authentication server 26 in addition to, or in place of, the client computer 10. This embodiment would otherwise be substantially similar to any of the other embodiments described herein, except that the device 32 would perform substantially all of the functions described above in relation to the client computer 10. The user would submit biometric data via the biometric sensor 34, for example, and would submit identification information via a conventional user interface (not shown) of the device 32 including, for example, a keypad, LCD, or similar user interface element or elements. In the second embodiment, the deployable object may need to be adapted for use with the wireless device 32, particularly if the device 32 is a handheld device or otherwise has limited resources.

A third embodiment of the invention is substantially similar to either the first or second embodiments, except that the software contained in the deployable object is installed in and resides upon the client computer 10, the client device 32, or both, instead of being communicated thereto upon the initiation of a transaction. In this embodiment, the program code executed by the client computer 10 may be installed on the client 10 prior to the user requesting access to the third party server 24 and may reside on the client 10 after each transaction. The third party server 24 would communicate only the token seed to the client computer 10, rather than the deployable object and the token seed.

In a fourth embodiment of the invention, the deployable object is stored on or is generated by the biometric authentication server 26, and is communicated from the biometric authentication server 26 directly to the client computer 10 or, alternatively, to the third party server 24, which in turn communicates the object to the client computer 10.

Although the invention has been described with reference to the preferred embodiments illustrated in the attached drawings, it is noted that equivalents may be employed and substitutions made herein without departing from the scope of the invention as recited in the claims. It will be appreciated, for example, that the client computer 10, the third party server 24, and the biometric authentication server 26 may be interconnected via any of various communication means including, for example, peer-to-peer communication protocols.

1. A computer program for enabling a biometric authentication system, wherein at least a portion of the program is stored on a computer-usable medium, the computer program comprising: a code segment for enabling a first computer to receive biometric data and identification information from a user and to communicate the biometric data and the identification information to a second computer; a code segment for enabling the second computer to create a first transaction identifier, and to verify the identification information received from the first computer by confirming that the biometric data corresponds to at least a portion of the identification information; a code segment for enabling a third computer to communicate to the second computer a request for at least a portion of the identification information, wherein the request includes a second transaction identifier; and a code segment for enabling the second computer to communicate at least a portion of the identification information to the third computer if the first transaction identifier corresponds to the second transaction identifier and if the biometric data corresponds to at least a portion of the identification information.
2. The computer program as set forth in claim 1, further comprising a code segment for enabling the third computer to communicate an object to the first computer, wherein the object includes the code segment for enabling the first computer to receive biometric data and identification information from a user and to communicate the biometric data and the identification information to the second computer.
3. The computer program as set forth in claim 2, wherein the object is an ActiveX object.
4. The computer program as set forth in claim 3, wherein the third computer communicates the ActiveX object to the first computer in response to a user-initiated request to access a file managed by the third computer.
5. The computer program as set forth in claim 4, wherein the third computer is a network server that communicates the ActiveX object in response to a user-initiated request to access a web site hosted by the third computer.
6. The computer program as set forth in claim 1, wherein the identification information includes a user name and a password.
7. The computer program as set forth in claim 6, further comprising a code segment for enabling the first computer to combine and encrypt the biometric data and the password, to combine the user name with the encrypted biometric data and password to form a bundle, to encrypt the bundle, and to communicate the encrypted bundle to the second computer.
8. The computer program as set forth in claim 1, wherein the first computer is a hand-held wireless device.
9. The computer program as set forth in claim 1, further comprising: a code segment for enabling the first computer to request and receive a token seed from the second computer; a code segment for enabling the first computer to create a first token based on the token seed, wherein the first token forms at least part of the first transaction identifier; and a code segment for enabling the second computer to create a second token based on the token seed, wherein the second token forms at least part of the second transaction identifier.
10. The computer program as set forth in claim 9, further comprising: a code segment for enabling the first computer to encrypt the biometric data and the password using at least a portion of the first token, to combine the user name with the encrypted biometric data and password to form a bundle, to encrypt the bundle using at least a portion of the first token, and to communicate the encrypted bundle to the second computer; and a code segment for enabling the second computer to decrypt the bundle using at least a portion of the second token.
 11. The computer program as set forth in claim 1,wherein the biometric data is chosen from the group consisting offingerprint data, voice print data, retinal scan data, iris scan data,facial characteristics, and signature data.
 12. A computer program forenabling a biometric authentication system, at least a portion of theprogram being stored on a computer-usable medium, the computer programcomprising: a code segment for enabling a first computer to communicatea deployable object to a second computer via a network communicationsmedium, wherein the deployable object enables the second computer togenerate a first token, to receive identification information andbiometric data from a user, to bundle the identification informationwith the biometric data and secure the bundle, and to communicate thefirst token to the first computer and the bundle to a third computer; acode segment for enabling the first computer to communicate the firsttoken to the third computer; a code segment for enabling the thirdcomputer to create a second token and to verify the first token receivedfrom the first computer by determining whether the first tokencorresponds to the second token; a code segment for enabling the thirdcomputer to verify the biometric data received from the second computerby comparing the received data to biometric data stored in a database;and a code segment for enabling the third computer to communicate theidentification information received from the second computer to thefirst computer if the second token corresponds to the first token, ifthe received biometric data matches biometric data stored in thedatabase, and if the biometric data corresponds to at least a portion ofthe identification information.
 13. The computer program as set forth inclaim 12, wherein the identification information includes a user nameand a password.
 14. The computer program as set forth in claim 13,further comprising a code segment for enabling the second computer tocombine and encrypt the biometric data and the password using the firsttoken as an encryption key, to combine the user name with the encryptedbiometric data and the password to form a bundle, and to encrypt thebundle using the first token as an encryption key.
 15. The computerprogram as set forth in claim 12, wherein the biometric data is chosenfrom the group consisting of fingerprint data, voice print data, retinalscan data, iris scan data, facial characteristics, and signature data.16. The computer program as set forth in claim 12, wherein thedeployable object is an ActiveX object.
 17. The computer program as setforth in claim 12, wherein the second computer is a handheld wirelessdevice.
 18. The computer program as set forth in claim 12, furthercomprising: a code segment for enabling the third computer to generate atoken seed and to create the second token based at least in part on thetoken seed, wherein the deployable object enables the second computer torequest and receive the token seed from the third computer and togenerate the first token based at least in part on the token seed.
 19. Acomputer program for enabling a biometric authentication system, atleast a portion of the program being stored on a computer-usable medium,the computer program comprising: a code segment for enabling a networkserver computer to communicate an ActiveX control to a network clientcomputer via a network communications medium, wherein the ActiveXcontrol enables the client computer to generate a first token, toreceive a user name and password from the user, to control a biometricsensor and receive biometric data from the user via the sensor, toencrypt the biometric data and password using the first token as anencryption key, to combine the first token and the user name with theencrypted biometric data and password to form a bundle and encrypt thebundle using the first token as an encryption key, and to communicatethe first token to the network server computer and the bundle to thebiometric authentication server; a code segment for enabling the networkserver computer to communicate the first token to the biometricauthentication server; a code segment for enabling the biometricauthentication server to create a second token and to determine whetherthe first token corresponds to the second token; a code segment forenabling the biometric authentication server to determine whether thebiometric data received from the client matches biometric data stored ina database; a code segment for enabling the biometric authenticationserver to determine whether the biometric data received from the clientcorresponds to the user name or the password; and a code segment forenabling the biometric authentication server to communicate the username and password received from the client computer to the networkserver computer if the first token corresponds to the second token, ifthe biometric data received from the client matches biometric datastored in a database, and if the biometric data received from the clientcorresponds to the user name or the password.
 20. The computer programas set forth in claim 19, wherein the ActiveX control enables the clientcomputer to request and receive a token seed from the biometricauthentication server.
 21. The computer program as set forth in claim 20further comprising a code segment for enabling the biometricauthentication server to create the token seed, to create the secondtoken based on the seed, and communicate the seed to the clientcomputer.
 22. The computer program as set forth in claim 20, wherein theActiveX control enables the client computer to generate the first tokenbased at least in part on the token seed.
 23. A method of providingbiometric authentication to a network security system, the methodcomprising: enabling a first computer to receive biometric data andidentification information from a user and to communicate the biometricdata and the identification information to a second computer; enablingthe second computer to create a first transaction identifier and toverify the identification information by confirming that the biometricdata corresponds to at least a portion of the identificationinformation; communicating a request from a third computer to the secondcomputer, wherein the request is for at least a portion of theidentification information and wherein the request includes a secondtransaction identifier; and communicating from the second computer tothe third computer at least a portion of the identification informationif the first transaction identifier corresponds to the secondtransaction identifier and if the biometric data corresponds to at leasta portion of the identification information.
 24. The method as set forthin claim 23, further comprising enabling the third computer tocommunicate an object to the second computer, wherein the object enablesthe first computer to receive the biometric data and identificationinformation from a user and to communicate the biometric data and theidentification information to the second computer.
 25. The method as setforth in claim 24, wherein the object controls a biometric sensorperipheral device associated with the second computer to capture thebiometric data.
 26. The method as set forth in claim 23, wherein theidentification information includes a user name and a password.
 27. Themethod as set forth in claim 26, further comprising enabling the firstcomputer to combine and encrypt the biometric data and the password, tocombine the user name with the encrypted biometric data and password toform a bundle, to encrypt the bundle, and to communicate the encryptedbundle to the second computer.
 28. A method of providing biometricauthentication to a network security system, the method comprising:communicating a deployable object from a first computer to a secondcomputer via a network communications medium, wherein the deployableobject enables the second computer to create a first token, to receiveidentification information and biometric data from a user, to bundle theidentification information with the biometric data and secure thebundle, and to communicate the first token to the first computer and thebundle to a third computer; enabling the first computer to communicatethe first token to the third computer and to request identificationinformation from the third computer corresponding to the first token;enabling the third computer to create a second token and to verify thefirst token received from the first computer by determining whether thefirst token corresponds to the second token; enabling the third computerto verify the biometric data received from the second computer bycomparing the received data to biometric data stored in a database; andcommunicating the identification information from the third computer tothe first computer if the second token corresponds to the first token,if the received biometric data matches biometric data stored in thedatabase, and if the biometric data corresponds to at least a portion ofthe identification information.
 29. The method as set forth in claim 28,wherein the object controls a biometric sensor peripheral deviceassociated with the second computer to capture the biometric data. 30.The method as set forth in claim 28, wherein the identificationinformation includes a user name and a password.
 31. The method as setforth in claim 30, wherein the deployable object enables the secondcomputer to combine and encrypt the biometric data and the passwordusing the first token as an encryption key, to combine the user namewith the encrypted biometric data and password to form the bundle, toencrypt the bundle using the first token as an encryption key, and tocommunicate the encrypted bundle to the third computer.
 32. A computerprogram for enabling at least a portion of a biometric authenticationsystem, at least a portion of the program being stored on acomputer-usable medium, the computer program comprising: a code segmentfor enabling the computer to receive a token seed from a first externallocation; a code segment for enabling the computer to create a tokenbased on the token seed; a code segment for enabling the computer toreceive identification information and biometric data from a user; acode segment for enabling the computer to encode the identificationinformation and the biometric data using the token; a code segment forenabling the computer to communicate the token to a second externallocation; and a code segment for enabling the computer to communicatethe encoded identification information and biometric data to the firstexternal location.
 33. The computer program as set forth in claim 32,further comprising: a code segment for enabling the computer to receivea request from a user to view information stored at the second externallocation; and a code segment for enabling the computer to receive adeployable object from the second external location, the deployableobject including the code segments for enabling the computer to receivethe token seed from the first external location, create the token basedon the token seed, receive the identification information and thebiometric data from the user, encrypt the identification information andthe biometric data using the token, communicate the token to the secondexternal location, and communicate the encrypted identificationinformation and biometric data to the first external location.
 34. Acomputer program for enabling at least a portion of a biometricauthentication system, at least a portion of the program being stored ona computer-usable medium, the computer program comprising: a codesegment for enabling the computer to receive a request for a token seedfrom a first external location; a code segment for enabling the computerto communicate the token seed to the first external location; a codesegment for enabling the computer to create a token based on the tokenseed; a code segment for enabling the computer to receive encodedidentification information and biometric data from the first externallocation; a code segment for enabling the computer to decode the encodedidentification information and biometric data using the token; a codesegment for enabling the computer to authenticate the identificationinformation and biometric data by comparing the identificationinformation and biometric data to stored information; and a code segmentfor enabling the computer to communicate the identification informationand biometric data to a second external location if the identificationinformation and biometric data are valid.
 35. A computer program forenabling at least a portion of a biometric authentication system, atleast a portion of the program being stored on a computer-usable medium,the computer program comprising: a code segment for enabling thecomputer to receive a request from a first external location to accessinformation stored on the computer; a code segment for enabling thecomputer to communicate a deployable object to the first externallocation, the deployable object including computer-executable codesegments for receiving a token seed, creating a token based on the tokenseed, receiving identification information and biometric data from auser, encoding the identification information and the biometric datausing the token, and communicating the token to the computer andcommunicating the encoded identification information and biometric datato a second external location; a code segment for enabling the computerto receive the token; a code segment for enabling the computer tocommunicate the token to the second external location and to request theidentification information and biometric data from the second externallocation; and a code segment for enabling the computer to receive theidentification information from the second external location and toverify the identification information.
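The three-party exchange that claims 12, 19, 28 and 32 to 35 describe (deployable object on the client derives a token from a seed issued by the biometric authentication server, encrypts a two-layer bundle of user name, password and biometric data under that token, sends the token to the web server and the bundle to the authentication server; the web server forwards the token; the authentication server releases the credentials only when the tokens correspond and the biometric data matches) is shown below as an added, self-contained simulation. It is not the patent's code, and the claims fix none of its primitives, so everything concrete is an assumption: the token is an HMAC of the seed, "encrypt using the token as key" is an HMAC-SHA256 keystream with an integrity tag, a `seed_id` is introduced so the authentication server can find the second token it derived for the session, NUL bytes separate bundle fields, biometric templates are fixed-size byte strings compared by Hamming distance, and the enrolled user, password and template are constructed.

```python
# Constructed simulation of the exchange in claims 12, 19, 28 and 32-35 (added example).
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN, MAX_DISTANCE = 16, 32, 8    # MAX_DISTANCE: constructed match threshold


def derive_token(seed: bytes) -> bytes:
    # Assumption: client and auth server both turn the seed into the token with HMAC.
    return hmac.new(seed, b"transaction-token", hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, counter = bytearray(), 0
    while len(blocks) < length:
        blocks += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(blocks[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    # Stand-in for "encrypt ... using the token as an encryption key": encrypt-then-MAC.
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("bundle failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def hamming(a: bytes, b: bytes) -> int:    # constructed matcher: number of differing bits
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


class BiometricAuthServer:    # third computer of claims 12/28; the program of claim 34
    def __init__(self, enrolled: dict):
        self.enrolled = enrolled    # username -> (password, enrolled template)
        self.pending = {}           # seed_id -> second token (seed_id is an assumption)
        self.verified = {}          # second token -> (username, password)

    def issue_seed(self):
        seed_id, seed = secrets.token_hex(8), secrets.token_bytes(32)
        self.pending[seed_id] = derive_token(seed)    # the "second token"
        return seed_id, seed

    def receive_bundle(self, seed_id: str, bundle: bytes) -> None:
        token2 = self.pending.pop(seed_id)
        # Outer layer: user name NUL inner; inner: password NUL biometric (NUL split is a demo simplification).
        username, _, inner = unseal(token2, bundle).partition(b"\x00")
        password, _, template = unseal(token2, inner).partition(b"\x00")
        record = self.enrolled.get(username.decode())
        # Claims 19/34: biometric must match the enrolled user AND credentials must belong to that user.
        if (record and hmac.compare_digest(record[0].encode(), password)
                and hamming(template, record[1]) <= MAX_DISTANCE):
            self.verified[token2] = (username.decode(), password.decode())

    def lookup(self, token1: bytes):
        # Web server presents the first token; credentials are released once, only on a match.
        for token2 in list(self.verified):
            if hmac.compare_digest(token1, token2):
                return self.verified.pop(token2)
        return None


class Client:    # second computer of claims 12/28 running the deployable object (claims 32/33)
    def __init__(self, username: str, password: str, scan: bytes):
        self.username, self.password, self.scan = username, password, scan

    def run(self, auth: BiometricAuthServer) -> bytes:
        seed_id, seed = auth.issue_seed()
        token1 = derive_token(seed)
        inner = seal(token1, self.password.encode() + b"\x00" + self.scan)
        bundle = seal(token1, self.username.encode() + b"\x00" + inner)
        auth.receive_bundle(seed_id, bundle)    # bundle to the auth server ...
        return token1                           # ... first token to the web server


class WebServer:    # first computer of claims 12/28; the program of claim 35
    def __init__(self, accounts: dict):
        self.accounts = accounts    # username -> password for the conventional check

    def grant_access(self, token1: bytes, auth: BiometricAuthServer) -> bool:
        creds = auth.lookup(token1)
        if creds is None:
            return False
        username, password = creds
        return hmac.compare_digest(self.accounts.get(username, "").encode(), password.encode())


ENROLLED_TEMPLATE = bytes(range(32))    # constructed fingerprint template for "alice"


def flip_bits(template: bytes, nbits: int) -> bytes:    # constructed sensor noise
    out = bytearray(template)
    for i in range(nbits):
        out[i // 8] ^= 1 << (i % 8)
    return bytes(out)


def make_system():
    return BiometricAuthServer({"alice": ("s3cret", ENROLLED_TEMPLATE)}), WebServer({"alice": "s3cret"})


def login(username: str, password: str, scan: bytes) -> bool:
    auth, web = make_system()
    return web.grant_access(Client(username, password, scan).run(auth), auth)
```

`login("alice", "s3cret", flip_bits(ENROLLED_TEMPLATE, 2))` succeeds (a slightly noisy but genuine scan), while a scan 40 bits away, a wrong password, or an unenrolled user all fail because the authentication server then stores nothing for the web server to fetch. The `lookup` is one-shot, so presenting the same first token twice is refused, and a token the authentication server never derived matches nothing. Two properties the claims leave to the implementer stand out: the web server never sees the biometric data, only the credentials it already knows how to verify, and because both sides derive the token from the seed, the channel that delivers the seed to the client is what the bundle's secrecy ultimately rests on; the simulation does not model that channel.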